On 09/13/2013 04:12 AM, Patrick Pelletier wrote:
> On 9/12/13 1:18 PM, Dave Crocker wrote:
>
>> "privacy properties of IETF protocols and concrete ways in which
>> those could be improved."
>
> One obvious thing is the amount of (usually unnecessary) information
> leaked by the User-Agent field in HTTP.
>
> Should we downgrade the User-Agent field (section 14.43 of RFC 2616)
> from a SHOULD to a MAY?

I think everyone finds those values problematic, and not only for
privacy reasons. But yes, if you believe [1] then it's probably the
biggest contributor to browser fingerprinting that's in an IETF spec.
(No idea if that site's evaluation is sound myself though.)

[1] https://panopticlick.eff.org/

> Or, if that's too radical, should we standardize a small number of fixed
> strings to use in the User-Agent field? (For example, "Desktop/1.0" for
> desktop browsers, "Mobile/1.0" for mobile browsers, "Text/1.0" for text
> browsers like Lynx, "Batch/1.0" for non-interactive clients like curl
> which are performing a task more specific than crawling the web, and
> "Robot/1.0" for clients which are crawling the web?)

Interesting. An IANA registry of those kinds of value might just
end up like the UA string though, which also started out nice
and simple.

Maybe ask this on httpbis if you don't get more feedback here?
That's where you'd find folks who know if it could be done and
who could do it.

S.

>
> --Patrick
>
> _______________________________________________
> perpass mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/perpass
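
Added example, not part of the original thread: a Panopticlick-style estimate of how many identifying bits the User-Agent header carries, before and after collapsing it to the five fixed strings proposed above. The sample User-Agent values and the substring rules in `coarse_token` are constructed assumptions for illustration.

```python
import math
from collections import Counter

# Constructed sample of User-Agent values (illustrative, not measured traffic).
SAMPLE_UAS = [
    "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:23.0) Gecko/20100101 Firefox/23.0",
    "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:23.0) Gecko/20100101 Firefox/23.0",
    "Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20100101 Firefox/17.0",
    "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_4) AppleWebKit/536.30.1 (KHTML, like Gecko) Version/6.0.5 Safari/536.30.1",
    "Mozilla/5.0 (iPhone; CPU iPhone OS 6_1_4 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Version/6.0 Mobile/10B350 Safari/8536.25",
    "Lynx/2.8.8dev.3 libwww-FM/2.14 SSL-MM/1.4.1",
    "curl/7.29.0",
    "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)",
]

def coarse_token(ua):
    """Map a User-Agent to one of the five fixed strings proposed in the thread.
    The substring rules below are assumptions made for this example only."""
    s = ua.lower()
    if any(k in s for k in ("bot", "crawler", "spider")):
        return "Robot/1.0"
    if any(k in s for k in ("lynx", "w3m")):
        return "Text/1.0"
    if any(k in s for k in ("curl", "wget")):
        return "Batch/1.0"
    if any(k in s for k in ("mobile", "iphone", "android")):
        return "Mobile/1.0"
    return "Desktop/1.0"

def entropy_bits(values):
    """Shannon entropy of the header across the population, in bits."""
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in Counter(values).values())

def surprisal_bits(value, values):
    """Bits of identifying information one client reveals by sending `value`."""
    return math.log2(len(values) / values.count(value))

if __name__ == "__main__":
    coarse = [coarse_token(u) for u in SAMPLE_UAS]
    print("entropy raw   :", entropy_bits(SAMPLE_UAS), "bits")
    print("entropy coarse:", entropy_bits(coarse), "bits")
    # The lone Linux/Firefox 17 client is unique when raw, 1 of 4 when bucketed.
    print("Linux client raw   :", surprisal_bits(SAMPLE_UAS[2], SAMPLE_UAS), "bits")
    print("Linux client coarse:", surprisal_bits(coarse[2], coarse), "bits")
```

The same functions can be run over a real access log's User-Agent column to measure what the header contributes to a fingerprint in a given population.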
